elastic / detection-rules

Home Page:https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Rule Tuning] AWS Route Table Modified or Deleted

leandrojmp opened this issue · comments

Link to rule

AWS Route Table Modified or Deleted

Description

This rule looks for the actions:

  • ReplaceRoute
  • ReplaceRouteTableAssociation
  • DeleteRouteTable
  • DeleteRoute
  • DisassociateRouteTable

With the event.provider as cloudtrail.amazonaws.com, but those actions are EC2 actions, so the provider will be ec2.amazonaws.com.

With its current filter it seems that this rule will never trigger.

Example Data

Current filter with event.provider as cloudtrail.amazonaws.com
[Screenshot from 2024-03-08 15-24-29]

Using event.provider as ec2.amazonaws.com
[Screenshot from 2024-03-08 15-24-51]
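To make the mismatch concrete, the following added example (not code from this issue or from the detection-rules repository) replays a few constructed CloudTrail records through a simplified version of the rule's filter, once with the current provider value and once with ec2.amazonaws.com. The ECS mapping (eventSource to event.provider, eventName to event.action) and the reduced filter are assumptions made for the example.

```python
"""Added example: shows why a filter on event.provider:cloudtrail.amazonaws.com
never matches EC2 route-table API calls, while ec2.amazonaws.com does.

Assumptions (not taken from the rule itself): the CloudTrail integration maps
eventSource -> event.provider and eventName -> event.action, and the rule is
reduced to a provider check plus the action allow-list from the issue."""

ROUTE_TABLE_ACTIONS = {
    "ReplaceRoute",
    "ReplaceRouteTableAssociation",
    "DeleteRouteTable",
    "DeleteRoute",
    "DisassociateRouteTable",
}

# Constructed CloudTrail records. EC2 API calls carry eventSource
# ec2.amazonaws.com; only calls to the CloudTrail service itself carry
# cloudtrail.amazonaws.com.
SAMPLE_RECORDS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DeleteRoute", "eventID": "c-1"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "ReplaceRouteTableAssociation", "eventID": "c-2"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeRouteTables", "eventID": "c-3"},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "eventID": "c-4"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DisassociateRouteTable", "eventID": "c-5"},
]


def to_ecs(record):
    """Minimal CloudTrail -> ECS mapping (assumed shape of the integration output)."""
    return {
        "event.provider": record["eventSource"],
        "event.action": record["eventName"],
        "event.id": record["eventID"],
    }


def rule_matches(ecs_event, provider):
    """Simplified rule filter: provider must match and action must be in the list."""
    return (
        ecs_event["event.provider"] == provider
        and ecs_event["event.action"] in ROUTE_TABLE_ACTIONS
    )


def run_rule(records, provider):
    """Return the event.id values the filter would alert on for the given provider."""
    return [e["event.id"] for e in map(to_ecs, records) if rule_matches(e, provider)]


if __name__ == "__main__":
    print("cloudtrail.amazonaws.com:", run_rule(SAMPLE_RECORDS, "cloudtrail.amazonaws.com"))  # []
    print("ec2.amazonaws.com:", run_rule(SAMPLE_RECORDS, "ec2.amazonaws.com"))  # ['c-1', 'c-2', 'c-5']
```

The Describe call and the StopLogging call are left unmatched by design: the first is not a modification, the second is not an EC2 action.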